Savannah software forge compromised

Savannah, the open source software forge run by the GNU Project, is currently down following an SQL injection attack. According to a notice on the site, the attack led to the "leaking of encrypted account passwords, some of them discovered by brute-force attack, leading in turn to project membership access".

The developers say that "While effort was made in the past to fix injection vulnerabilities in the Savane 2 legacy code base, it appears this was not enough", adding that they're currently in the process of reinstalling the system and restoring the data from a backup from the 23rd of November. All changes between the 23rd and the 27th will be audited to see exactly what was compromised.

An update from early this morning notes that, after looking through all of the logs, it appears that there was no other account cracking. An online monitor is available for users interested in the current status of the site.